Pivot Point Perspective: The ONC Final Rule

The 21st Century Cures Act released its final rule on March 9th, 2020. This rule focuses on Interoperability, Information Blocking and the ONC Health IT Certification Program. It was released in conjunction with CMS’s Interoperability and Patient Access final rule, known as CMS-9115-F.

These final rules mark the most extensive healthcare data sharing policies issued by the government to date. The goal of these rules is twofold. Firstly, they aim to foster data sharing among healthcare entities and patients. Secondly, they ensure the security of medical records.

We’ll be publishing a series of posts to help executives understand the rules and focus on their healthcare group’s priorities. These Briefs are tailored toward provider organizations. They’ll help ensure their systems, vendor partnerships, policies and procedures and workforce are ready in advance of key deadlines. This first Brief covers information blocking, as a significant portion of the ONC final rule addresses this topic.

What is information blocking and who must comply with the information blocking provisions?

Information blocking is defined as a practice that:

1. is likely to interfere with access, exchange and use of electronic health information (EHI) except as required by law or covered by an exception; and
2. if conducted by a health IT developer, health information network or health information exchange, such person or entity knows, or should know, that such practice is likely to interfere with, prevent or significantly discourage access, exchange or use of EHI; or
3. if conducted by a provider, such provider knows this practice is unreasonable and likely to interfere with, prevent or significantly discourage access, exchange or use of EHI.

The ONC rule defines EHI as electronic protected health information in a designated record set (per HIPAA regulations). It also notes that for the 24 months after publication of the rule, the EHI scope for the purposes of the information blocking is limited to the data elements in the USCDI standard also adopted in the final rule.

Healthcare providers, health information networks or exchanges and developers of certified health IT must comply with the information blocking provisions. The definition of healthcare provider broadly covers hospitals and clinics, and other care settings across the continuum of care.

Importantly, the rule states providers would not be considered to be interfering with access, exchange or use of EHI if they’re engaging in practices to educate patients about privacy and security risks posed by the apps patients choose to receive their EHI and provide them information to help in their decision making.

8 Exceptions to Information Blocking for ONC Final Rule

CATEGORY I: Exceptions that involve not fulfilling requests to access, exchange, or use of EHI:

1. Practices reasonable and necessary to prevent harm to a patient or another person.
2. Protecting a patient’s privacy.
3. When interfering with the access, exchange, or use of EHI to protect the security of the EHI.
4. Infeasible requests due to legitimate practical challenges, such as technological or legal.
5. Taking reasonable and necessary measures to temporarily make IT unavailable or degrade performance to improve the IT’s overall performance.

CATEGORY II: Exceptions that involve procedures for fulfilling requests to access, exchange, or

1. Limiting a response to a request for access, exchange, use of EHI or manner in which the request if fulfilled. Specific requirements must be met to use this exception. They must provide the data elements that are identified in the USCDI standard for the first 24 months after the final rule is published. Following that, providers must respond with EHI as defined in the rule.
2. Charging fees that result in a reasonable profit margin, for accessing, exchanging or using EHI. This exception doesn’t allow providers to charge patients, representatives or anyone the patient allows electronic access to the patient’s EHI.
3. In cases where the “actor” licenses its interoperability elements for EHI to be accessed, exchanged, or used.

The caveat for each of the 8 exceptions is that providers must meet certain conditions to satisfy an exception.

When must healthcare providers comply with the information blocking provisions?

Providers have 6 months from the date the final rule is published in the Federal Register to understand and implement policies and procedures supporting the eight information blocking exceptions. They’re subject to enforcement or disincentives only after that time period. The effective date of enforcement would not be any earlier than the compliance date and may be later. Furthermore, this is dependent on the Office of Inspector General (OIG) forthcoming rules on information blocking enforcement.

The ONC has extended compliance date to April 5, 2021. Read here for more information.